Mozilla is worried that Australia’s proposed decryption laws will break the principles and licensing terms of open source software.
The foundation said in a submission [pdf] to the government that being forced to secretly create vulnerabilities in an open source product would be extremely difficult.
“For an open source organisation, which would need to close portions of its source code and/or release builds that are not made from its publicly released code bases, this is at odds with the core principles of open source, user expectations, and potentially contractual license obligations,” Mozilla said.
Mozilla - like other technology companies - is most concerned about the most extreme type of notice that law enforcement agencies could serve under the proposed laws.
Such '"technical capability notices" (TCNs) would compel a provider “to build a new capability that will enable them to give assistance” to law enforcement or the government, according to explanatory notes.
“A TCN is, in effect, an intentional introduction of a security vulnerability,” Mozilla said.
“We are concerned both about how such vulnerabilities would introduce significant and potentially widespread user and system insecurity.
“In addition to the risk to users from the nominally authorised use of the capabilities provided by the TCN, operating such a system in a way that prevents unauthorised use is inherently problematic, and has in the past been seen to lead to real compromises.”
Mozilla argued that software users would respond by disabling all automated update processes from running on their machines, to prevent them from being used to seed a vulnerability.
“If delivering modified software through update mechanisms is within the intent of the bill, then it creates an incentive for users to disable automated update processes, to preserve their trust and understanding of the software running on their machines,” Mozilla said.
“This leaves those systems vulnerable to attack and compromise. This might seem academic, but Mozilla has first-hand experience of how fragile trust can be.
“At a very high level, any company that is able to run software on a computer is a potential threat to the integrity of any information that computer has access to.
“While steps have been made to isolate software from the actions of other software on the same computer, such protections are currently neither perfect nor uniformly implemented.
“As a result, the ability to run software without fear of unintended effects on the system as a whole depends greatly on trust in the provider of that software.”